(54) Resource access control system.



(57) Access of a user to a resource, such as a 
telecommunications network, includes storing, 
in a first call data base, a first set of attributes 
concerning an ongoing call from a caller. A 
second call data base stores a second set of 
attributes concerning the history of prior calls 
made by the caller. A rules data base stores 
rules concerning attributes for determining 
whether to disconnect the call, block future 
calls, or take other action. A determination is 
made whether data in at least one of the call 
data bases matches the rules in the rules data 
base. The call is then disconnected, the next 
call blocked, or other action is taken, in response
to a match between data in the call data
bases and data in the rules data base. Preferably,
the second call data base is updated in
response to matches with the rules data base. 
FIELD OF THE INVENTION

This invention relates to preventing fraudulent 
access to a resource, and particularly to methods and 
means for blocking or disconnecting telephone calls, 
in real time, from callers that are attempting to gain 
fraudulent access to telephone networks. 

BACKGROUND OF THE INVENTION 

Fraudulent telephone calls are a major source of 
revenue loss to telephone service providers. They 
also result in customer dissatisfaction when tolls are 
inadvertently charged to the subscriber as a result of 
fraudulently placed calls. Present systems use batch 
mode analysis of call details and sometimes manage 
to detect some types of fraud. This arrangement re- 
quires the telephone company to communicate with 
the culprit to end the abuse. It entails a delay in the 
prevention of fraud. 

An object of the invention is to overcome the dis- 
advantages of prior systems. 

Another object of the invention is to detect and 
block or disconnect fraudulent access demands in 
real time. 

SUMMARY OF THE INVENTION 

According to a feature of the invention, these ob- 
jects are attained by storing, in a control data base, 
a set of attributes concerning an access from an ac- 
cess demand source; maintaining a rules data base 
of rules concerning attributes for determining corrective
action; determining whether data in the control data
base matches the rules in the rules data base; and
effecting corrective action by disconnecting the access
during access time in response to a match between 
data in the control data base and data in the rules data 
base. 

According to another feature of the invention, 
storing in the control data base includes storing in a 
first access data base a first set of attributes concern- 
ing the ongoing access. 

According to another feature of the invention, 
storing in the control data base includes storing in a 
second access data base a second set of attributes 
concerning the history of prior accesses made by the 
access demand source; the step of determining 
whether data in the access data base matches the rules
in the rules data base includes determining whether 
to disconnect the access, block future accesses, or 
take other action; and the step of effecting corrective 
action includes disconnecting the access, blocking 
future accesses, or taking other action. 

According to another feature of the invention, the 
second access data base is updated on the basis of 
the matches. 

These and other features of the invention are
pointed out in the claims. Other objects and advan-
tages of the invention will be evident from the follow- 
ing detailed description when read in light of the ac- 
companying drawings. 


BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 illustrates a telephone network embodying 
features of the invention. 
Fig. 2 is a block diagram of a control system in the
network of Fig. 1 according to an aspect of the invention.

Figs. 3 and 4 show the rules for operation of the 
network and system in Figs. 1 and 2 for CPE fraud
according to an aspect of the invention.

Figs. 5 and 6 show the rules for operation of the 
network and control system in Figs. 1 and 2 for CPE 
fraud according to an aspect of the invention. 

Figs. 7 and 8 show the rules for fraud involving 
hacking to remote access ports of CPE (Customer
Premises Equipment) and SDN-NRA (Software De- 
fined Network - Network Remote Access) according 
to an aspect of the invention. 

Fig. 9 shows the rules to detect fraud involving 
multiple calls with the same SDN code or cellular MIN,
and successive cellular calls with far apart originating 
locations from the same caller according to an aspect 
of the invention. 

Figs. 10 to 12 show the rules for multiple calls
likely to be actual fraud calls through the CPE
according to an aspect of the invention.

Fig. 13 shows rules for detecting various kinds of
miscellaneous fraud according to an aspect of the in- 
vention. 

Fig. 14 is a flow chart illustrating operation of the
system in Figs. 1 and 2.

DETAILED DESCRIPTION OF PREFERRED 
EMBODIMENTS 


Fig. 1 illustrates an arrangement embodying features
of the invention. Here, a telephone switch network
TSN connects a caller, or access demand source, ADS
to a called party or egress EGR through two switches
or central offices, namely, an originating action
control point ACPO and a terminating action control
point ACPT. The originating action control point ACPO
and the terminating action control point ACPT
communicate with call detail recording platforms
(CDRPs) RP1 and RP2 to supply the latter continuously
with call detail records on a real-time basis. The
action control points ACPO and ACPT generate these
records for billing and record keeping by the CDRPs.

The CDRPs RP1 and RP2 also communicate with a control
system CS1 which taps into the event message stream in
the CDRPs RP1 and RP2 on a real-time on-demand basis.
This means that the data is available to the control
system CS1 while the call is going on. The control
system CS1 analyzes the information elements which are
contained in the CDRPs RP1 and RP2, as part of the
detection of fraud events. In one embodiment of the
invention, the control system CS1 accesses the data on
all calls in the CDRPs RP1 and RP2. According to a
preferred embodiment the control system CS1 accesses,
from the CDRPs RP1 and RP2, only data for particular
types of calls likely to produce significant fraud
costs, namely:

- Calls which are of very short duration (<10 sec).
These are interesting because they may be
generated by automatic hacking devices.

- Calls which are of very long duration (>20 min).

- International calls.

- Calls placed on business customers' equipment
and on business communication services.
(Fraud call charges are billed mostly to
business customers.)

Limiting the access to calls of this sort eliminates
the bulk of telephone calls from scrutiny by the control
system CS1. These eliminated calls are normal calls
which have a very low probability of incidence of
fraud. When such incidences do occur, the loss to the
network is small because they tend to be short distance
domestic calls of short duration. This prefiltering
selects only calls which have an economically
significant fraud cost to the network for transmission
from the CDRPs RP1 and RP2 to the control system
CS1.

According to one embodiment of the invention,
the CDRPs RP1 and RP2 perform the selection, i.e.
prefiltering, and according to another embodiment,
the control system CS1 performs the prefiltering. In
the latter embodiment, the CDRPs RP1 and RP2
accumulate the prefiltered records of all the calls which
are being originated and progressing through all the
toll switches of the area served by it for a small and
convenient interval, say 15 seconds, and send the
set to the control system CS1. The data on the
prefiltered calls sent to the control system CS1 are herein
called X-records.

The control system CS1 also exchanges data 
with a fraud intelligence unit (FIU) FI1, a telephone 
company corporate security administration monitor 
(CSAM) CSA1, and other control systems. The fraud 
intelligence unit FI1 has a database which stores "his- 
toric" information which is used for reference, to de- 
cide whether an information element on a record is 
significant for fraud detection or not. 

According to an embodiment of the invention, the 
database of the fraud intelligence unit FI1 stores the 
following information: 

- PBX ANIs (Private Branch Exchange Automatic
Number Identifications).

- University PBX's and Centrex's.

- Suspicious NPAs-NXX for originating numbers.

- Suspicious Terminating Numbers.

- Suspicious Country codes.

- Forbidden country codes.

- Compromised Authorization Codes.

- ANIs from detected fraud events.

- Originating numbers from detected fraud
events.

- Terminating numbers from detected fraud
events.

- Authorization codes from detected fraud
events.

- Other optional files entered manually by CSAM
CSA1.

In other embodiments, the FIU FI1 contains other
information.

Fig. 2 is a block diagram of the control system
CS1 in Fig. 1. The control system CS1 is preferably
in the form of a single processor which performs its
various functions. Fig. 2 shows the control system as
composed of individual sections, namely a received
record buffer section RBS1, an analysis section AS1,
a rules section RS1, and a fraud containment section
FC1. However, each of the blocks preferably represents
a function of the processor, rather than an individual
unit, and the processor may perform all the
functions with the same hardware. Nevertheless,
according to an embodiment of the invention, any or all
the blocks may be a separate section or unit. The
blocks in the control system CS1 are referred to as
sections for convenience.

The control system CS1 accesses the data from
the CDRPs RP1 and RP2 and the fraud intelligence
unit FI1 and matches the accessed data with a set of
rules which the control system stores. The rules appear
in Figs. 3 to 13 and define the existence of various
levels of fraud events such as HHa, HHb, HH, H,
M, and L. If the data matches a high level HHa, the
control system CS1 signals the signal transfer point
STP1 to disconnect the ongoing call. If the level is
HHb, it signals the signal transfer point STP1 to block
the next call from the access source ADS.

The control system CS1 also transfers information
about detected fraud events to the CSAM CSA1
to raise alarm signals so that the network personnel
can take appropriate manual control. Such manual
operation may override the control system CS1 and
disconnect selected calls or block selected calls, or
inhibit the disconnect or blocking action of the control
system CS1. The CSAM CSA1 can also enter new
information into the fraud intelligence unit FI1 database.

In Fig. 2, the control system CS1 receives the set
of records from the CDRPs RP1 and RP2 and enters
it to the received records buffer section RBS1. The
analysis section AS1 receives the data from the buffer
section RBS1 and uses the data from the fraud
intelligence unit FI1 to derive vectors each of which
conforms to a data element or characteristic in the rules
in Figs. 3 to 13. In other words, in order to match the
data to the rules, the data must be in the format of
each of the elements or characteristics of the rules.
Accordingly, the analysis section AS1 derives vectors which
specify whether a call is:

- During business hours. 

- During non-business hours. 

- Excessively long. 

- Domestic calls. 

- To a limited dialed NPA = 800. 

- To a termination number - CPE. 

- To a country code. 

- ANI = CPE (Automatic Number Identification 
with Customer Premises Equipment). 

- Using SDN-NRA (Software Defined Network - 
Network Remote Access). 

- To a suspected country code. 

- Using a bad ANI. 

- Of short duration. 

- Using repeated ANI. 

- From non-frequent caller. 

- To successive different dialed numbers.

- Using suspected patterned dialing.

- With a connect time difference less than
PDD (Post Dialing Delay) + e, i.e. going
from one number to another quickly.

- Using an invalid authorization code. 

- With a number of calls in repeat set greater
than threshold.

- Using an SDN, Software Defined Network (virtual
private network).

- Using different ANI to same termination No. 

- Using the same authorization code from an- 
other location greater than at least one call con- 
tinuing. 

- Having greater than call duration overlap. 

- With simultaneous use of mobile number. 

- Cellular. 

- Of the same MIN (Mobile Identification Unit). 

- Using distance between call locations/elapsed 
time greater than a given value x. 

- Multiple calls from same ANI (Automatic Num- 
ber Identification) greater than x. 

- Repeated dialed numbers. 

- Terminating at a number which is a known
DISA/RMATS (Direct Inward Switched Ac- 
cess/Remote Maintained Access Test System 
Maintained Port). 

- Originating in suspect NPA-NXX or pay phone. 

- Multiple calls from same ANI. 

- CPE (Customer Premise Equipment) to a
known high fraud country.

- CPE (Customer Premise Equipment) to known 
medium fraud country. 

- Non CPE type of service. 

- Suspicious terminating number. 

- Multiple calls billed to same number. 



- Multiple 800 calls exceeding preset number.

It will be understood that other vectors may be derived,
and that the above list is by no means inclusive
of all vectors possible. Other embodiments do not use
all the aforementioned vectors.

Some of these vectors deal with quantitative values
such as whether a call is short or long. The analysis
section AS1, in deriving the vectors, compares
each quantitative value with a threshold to produce a
vector that indicates a high or low quantity such as a
long call or short call. The thresholds may be varied
manually or automatically with the time of day, time
of the month, or other circumstances, to change the
criticality of the data.

The rules section RS1 stores the rules in Figs. 3
to 13 in the form of a look-up table. Each horizontal
box in Figs. 3 to 13 is a rule. In each box, the left side
lists elements corresponding to vectors and the right
side of each box indicates the action priority associated
with the elements in the left side. The section
RS1 of the processor scans the set of characteristics
or vectors of a particular call and compares all the
vectors with each of the rules in the boxes in Figs. 3
to 13. It determines if the vectors of a call match a
rule.

In Figs. 3 to 13, each rule is associated with a letter
designation representing an action priority, such
as HHa, HHb, H, M, and L. Action priorities are L for
low, M for medium, H for high, HHa and HHb for very
high. These designations represent the action categories
which the control system CS1 would execute,
if the rule became "true". They depend upon the
seriousness and the certainty of detection.

If any set of the vectors matches all the elements
in a rule, the rules section RS1 designates the particular
action priority indicated in the rule. Various different
calls may have vectors which satisfy several
rules.

HHa and HHb are the categories that represent
the highest priority of the action categories. In this
case, it is considered that the detected event is certain
to be fraudulent and automatic action to prevent
the incident is taken by the control system. If the fraud
event is that of a hacker's attempt to break into the toll
network, then the preventive action is to block his
next attempt by diverting it to a ring busy terminal.
This action is signified by the action priority being
HHb. If the action priority is HHa, then the solution is
to disconnect the call which is in progress.

The fraud containment section FC1 responds to
the rules section RS1 and sends out an alert report to
the CSAM CSA1 and the FIU FI1 with respect to all
the action priorities. If the action priority is HHb, it
instructs the signal transfer points STP1 and STP2 to
hold that information in a network control point NCP
which handles the call processing of service calls.
The latter then blocks succeeding calls from the
same caller for a specific time. It does this by diverting
the call to a ring busy terminal.

If the action priority is HHa the fraud containment
section FC1 instructs the signal transfer points STP1
and STP2 to make the originating action control point
ACPO or the terminating action control point ACPT
disconnect or otherwise disable the call. This causes
the switch to disconnect the call. Thus the fraud caller
will experience a hang-up in the middle of a call. If
successive calls within a predetermined time period
arrive from that telephone, those calls will be treated by
blocking as for action priority HHb.

An action priority H carries the detection of a
fraud event which is of slightly lower certainty but
nevertheless needs immediate attention. The fraud
control section FC1, in this case, calls for a human
decision to execute prevention action. Such action is
initiated from the corporate security administration
monitor CSAM by sending a special command which
may result in the same actions as described above.

An action priority M indicates a further grade of
less certainty of detection and the action treatment is
similar to that of H except that the human decision to
take preventive action can be more deliberate and
calculated to take many other aspects of the case,
deriving from intelligence which are not available to the
machine.

Action priority L is the lowest category. Preven- 
tive action is again human initiated, but is expected to 
be very infrequent for this category. 

For all these categories, the fraud control section 
FC1 enters the following information from the call re- 
cord to the fraud intelligence database. 

- Originating number 

- Dialed number 

- Terminating number 

- Authorization Code used 

- Action priority 

The fraud intelligence database FI1 stores this in- 
formation for future calls. It bestows a capability of 
learning from experience to an otherwise mechanical 
rule-based system. The CSAM CSA1 can constantly
edit and monitor the intelligence thus collected via hu- 
man supervision to prevent the detection process be- 
ing corrupted by the uncontrolled growth of obsolete 
information. 

The rules in Figs. 3 and 4, boxes 310 to 414 deal 
with CPE fraud. Here, boxes 334 and 410 result in 
HHa action priorities. 

The rules in Figs. 5 and 6, boxes 510 to 524 and
610 to 617, deal with the possibility of cellular fraud or
SDN-NRA (Software Defined Network - Network Remote
Access) fraud. Here, for example, in the matches
of 520, a long SDN-NRA international call during
regular business hours using a bad ANI and suspected
country code results in an HH (higher H) action priority.
Matches at boxes 510 and 514 result in high action
priorities whereas matches at boxes 517, 524,
610, 614, and 617 produce low or medium action
priorities.

Figs. 7 to 13 deal mainly with multiple call events.
These fraud scenarios require the characteristics
contained in a number of records of the recent past.
In one embodiment of the invention, the rules in these
figures are implemented with individual thresholds for
each rule. Figs. 7 and 8 deal specifically with fraud
involving hacking to remote access ports of CPE
(Customer Premises Equipment) and SDN-NRA
(Software Defined Network - Network Remote Access).
The rules in Fig. 9 detect fraud situations involving
multiple calls where the same SDN authorization
code or cellular MIN may be used, as well as successive
cellular calls where the originating locations
are too far apart to be originated by the same caller.

Figs. 10 to 12 show the rules that apply to multiple
calls when the calls are likely to be actual fraud
calls through the CPE (Customer Premises Equipment).
Figs. 11 and 12 show the rules for detecting the
outgoing leg of actual fraud calls being perpetrated,
possibly by call sellers.

Fig. 13 shows rules for detecting various kinds of
miscellaneous fraud, e.g. third party fraud, collect call
fraud, and card fraud to bypass 800 numbers blocks
from pay phones.

As is evident, boxes 334, 410, and 510 ordain action
priority HHa which results, according to an embodiment
of the invention, in fraud containment section
FC1 signalling to disconnect the ongoing call and,
according to an embodiment, to block the next immediate
call if it comes from the same caller. Boxes
810, 824, 830, 914, 917, and 924 cause the rules section
RS1 via fraud containment section FC1 to signal
blocking of succeeding calls which come from the
same caller and have characteristics having action
priority HHb.

Fig. 14 is a flow chart showing operation of the
control system CS1 in Figs. 1 and 2. In Fig. 14, step
1404, the control circuit CS1 accesses new records
from the CDRPs RP1 and RP2 and from the fraud
intelligence unit FI1. The received-record buffer section
RBS1 in the control system CS1 accesses and stores
prefiltered records from the CDRPs RP1 and RP2
and other control systems CS1 at other locations and
removes the oldest data if the buffer is full. The analysis
section stores the data from the fraud intelligence
unit FI1.

In step 1407, the analysis section AS1 in the control
system CS1 accesses the next sequential record
from the buffer section RBS1 and vectorizes the data
in the record by using the data from the fraud intelligence
unit FI1. For example, vectorizing involves taking
an ANI and querying the FIU FI1 if it is a bad ANI.
If so, the analysis section AS1 defines it as "Using a
bad ANI" and thereby places it in a format that conforms
to the format of a data element or characteristic
in the rules section RS1 so that the record can be
matched with the record in the rules of Figs. 3 to 13.
It includes applying appropriate thresholds, and referring
the records to the FIU database when needed.

In step 1420, the rules section RS1 receives the
data from the analysis section AS1 and scans the
vectors and compares them with the next (or the first,
if this is the first) rule to see if they match the rule.

In step 1424, the rules section RS1 asks and acts 
if any of the combinations of vectors in this call match 
a rule, i.e. match all the data elements or character- 
istics of a rule. If yes, the rules section RS1 goes to 
step 1427 and directs an action priority dictated by 
the rule to the fraud containment section FC1. If not, 
it returns to step 1407 and accesses the next record. 

Upon receiving the action priority, the fraud containment
section FC1 issues an alert report to the CSAM CSA1.
In step 1430, it adds the action priority and call data
to the database of the fraud intelligence unit FI1 and
the CSAM.

In step 1434, the fraud containment section FC1
determines if the action priority is HHa. If yes, the
fraud containment section FC1 proceeds to step 1437
and sends a signal to disconnect the caller and, in an
embodiment, to block the next immediate call from
that caller. It also returns the process to step 1404. If
the answer in step 1434 is no, in step 1440, the fraud
containment section FC1 asks if this is of action priority
HHb. If yes, in step 1444, fraud containment section
FC1 sends a signal to block the next call and returns
the operation to step 1404. If no, it returns the
operation to step 1407.
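The Fig. 14 loop for a single X-record, as an added Python sketch that is not part of the patent text: vectorize, match against a rule table with an implicit AND, then act on the action priority. Box 520 follows the description in the text; rules R1 to R3, the threshold values, the business-hours range, the FIU contents, the sample records and the choice of the most urgent priority when several rules match are all constructed assumptions.

```python
from dataclasses import dataclass

# Adjustable thresholds t1 and t2 from the text; the values are constructed.
T1_SHORT_SEC = 10
T2_LONG_SEC = 20 * 60
BUSINESS_HOURS = range(9, 17)          # assumption: 09:00-16:59 local time

# Constructed stand-in for the fraud intelligence unit (FIU) database.
FIU = {"bad_ani": {"2125550100"}, "suspected_country": {"999"}}

# Rule table: every listed vector must be present (implicit AND).
# Box 520 follows the description in the text; R1-R3 are constructed.
RULES = [
    ("520", {"Excessively long", "Using SDN-NRA", "To a country code",
             "During business hours", "Using a bad ANI",
             "To a suspected country code"}, "HH"),
    ("R1", {"Of short duration", "Using a bad ANI"}, "HHb"),
    ("R2", {"Excessively long", "During non-business hours",
            "Using a bad ANI", "To a suspected country code"}, "HHa"),
    ("R3", {"To a country code", "During non-business hours"}, "L"),
]
PRIORITY_ORDER = ["HHa", "HHb", "HH", "H", "M", "L"]   # most to least urgent


@dataclass(frozen=True)
class XRecord:
    call_id: str
    ani: str
    dialed: str
    country_code: str   # empty string for a domestic call
    duration_sec: int
    hour: int           # local hour at call start, 0-23
    sdn_nra: bool


def vectorize(rec, fiu=FIU, t1=T1_SHORT_SEC, t2=T2_LONG_SEC):
    """Analysis section AS1: turn raw fields into rule vectors."""
    v = set()
    if rec.duration_sec <= t1:
        v.add("Of short duration")
    if rec.duration_sec >= t2:
        v.add("Excessively long")
    v.add("During business hours" if rec.hour in BUSINESS_HOURS
          else "During non-business hours")
    if rec.country_code:
        v.add("To a country code")
        if rec.country_code in fiu["suspected_country"]:
            v.add("To a suspected country code")
    else:
        v.add("Domestic calls")
    if rec.ani in fiu["bad_ani"]:
        v.add("Using a bad ANI")
    if rec.sdn_nra:
        v.add("Using SDN-NRA")
    return v


def match_rules(vectors, rules=RULES):
    """Rules section RS1: return (box, priority) for every satisfied rule."""
    return [(box, prio) for box, required, prio in rules if required <= vectors]


def contain(rec, priority, fiu_log):
    """Fraud containment section FC1: alert, record, then act on priority."""
    actions = ["alert CSAM"]
    fiu_log.append({"originating": rec.ani, "dialed": rec.dialed,
                    "priority": priority})
    if priority == "HHa":
        actions += ["disconnect call", "block next call"]
    elif priority == "HHb":
        actions.append("block next call")
    else:
        actions.append("await human decision")
    return actions


def process(rec, fiu_log):
    """One pass of the Fig. 14 loop for a single X-record."""
    matches = match_rules(vectorize(rec))
    if not matches:
        return None, []
    # Assumption: when several rules match, act on the most urgent one.
    top = min((p for _, p in matches), key=PRIORITY_ORDER.index)
    return top, contain(rec, top, fiu_log)


# Constructed sample X-records.
SAMPLES = [
    XRecord("c1", "2125550100", "0119995550000", "999", 1500, 11, True),
    XRecord("c2", "2125550100", "8005550000", "", 4, 3, False),
    XRecord("c3", "2125550100", "0119995550001", "999", 3000, 2, False),
    XRecord("c4", "2125550199", "2125550123", "", 300, 10, False),
]

if __name__ == "__main__":
    log = []
    for rec in SAMPLES:
        print(rec.call_id, process(rec, log))
```
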

While the various steps in Fig. 14 were ascribed 
to various sections RBS1, AS1, RS1, and FC1 of the 
control system CS1, these can be performed by any 
form of processor arrangement in the system CS1.
The invention is not limited to this section arrange- 
ment nor this series of steps. The system CS1 may 
perform its function of combining the data and com- 
paring it to the rules stored therein to obtain an action 
priority in any number of other ways. 

While only two action control points and CDRPs 
appear in the drawings, it will be evident that other ac- 
tion control points may be part of the network, and 
each has a CDRP which communicates with the con- 
trol system CS1. 

According to an embodiment of the invention, the 
rules section RS1 of the control system CS1 distin- 
guishes between calls that it can identify as possibly 
fraudulent from a single call, such as shown in boxes 
334 and 410, and identifications that require a num- 
ber of calls, such as hacking. The former are called 
single call events and the latter multiple call events.
The rules section RS1 then first attempts to match 
only vectors using data from the CDRPs with boxes 
having single call events. Thereafter, it scans and 
matches vectors with the data from both the CDRPs 
and the fraud intelligence unit FI1 with the remaining 
boxes. 

In an embodiment, a different version of the rules
in Fig. 10 is obtained by considering out of business
hour calls. In those rules, if the calls come in from
suspicious NPA-NXX, or pay phones (indicated by ii
digits), the threshold will be lower (single call) for action
priority H. Otherwise the action priority is at least as
high as that for rules applying to business hour calls.

It will be noted that the control system CS1 is connected
to the fraud intelligence unit FI1 for querying
the unit's database for information which is required
during the fraud detection process. This connection is
also used by the control system CS1 to enter and delete
information in the database of the fraud intelligence
unit FI1, when fraud information which is obtained
from detected events is saved for future use.

According to an embodiment the fraud events
which are to be detected are expressed in the form of
Boolean rules. These rules are logical expressions
each of which describes a particular fraud scenario.
These rules describe certain basic characteristics of
a fraud event or fraud vectors. The rules are executed
logically in the control system processor, and if the
outcome of a rule is "true", then a corresponding
fraud event has been detected. If false, there is no
fraud event detected by that rule and the processor
moves on to apply the next rule. This process runs
continuously, to apply all the rules in the repertoire of
the control system, for every new X-record which is
pumped into the RBS1 from the CDRPs RP1 and
RP2.

According to an embodiment, in the received record
buffer section RBS1, the records are arranged
in a chronological scheme, the latest set being on the
top and the oldest set being dropped from the buffer
at the bottom. The received record buffer section
RBS1 holds about 4 hours worth of prefiltered records
(X-records) and this serves as a form of short
term historical data store.

In an embodiment of Fig. 2, the analysis section
AS1 uses the database of the fraud intelligence unit
FI1 in the analysis process. It first examines an X-record
from the received record buffer section RBS1
information element by information element, and determines
its characteristics of fraud.

The X-records contain, in general, a mix of quantitative
and qualitative information. In an embodiment,
the latter are also expressed in the form of binary
coded decimal digits, which encode the qualities.
But, the fraud scenario rules are in terms of vectors.
Thus, the analysis section AS1 converts the
quantitative and encoded qualitative information of
the X-record into corresponding vectors.

In this embodiment, the method is based on two
separate procedures. In the simplest of cases, a
quantitative value is compared against some threshold
values (which are conveniently arranged to be adjustable),
in a simple equation or inequality expression.
For example, consider the information element
called "call duration" which is expressed in the record
in terms of seconds. This needs to be vectorized to
just two vectors, short and long. It is done in the following
expression, which is executed during the analysis
procedure.

If call duration <= t1 then short. 

If call duration >= t2 then long. 

The thresholds t1 and t2 are adjustable, which 
makes the definition of short and long relative. 

In an embodiment, the analysis section AS1 re- 
duces the information elements of an X-record to vec- 
tors in this rule based manner. For some others, es- 
pecially the telephone numbers, the analysis section 
AS1 refers to the fraud intelligence unit FI1 database 
in order to derive its vectors. For example, the analy- 
sis section may consider a typical originating number 
on an X-record. To determine if this is a PBX number, 
it queries the FIU if this is on the list of suspected 
ANIs. It also determines if the originating number on
the X-record is from a suspicious calling area from 
where a large number of fraud calls are made by re- 
ferring to the FIU FI1. The analysis unit AS1 obtains 
such information by a query to the fraud intelligence 
unit FI1 database. The information is found there, be- 
cause it was entered there previously. 

Further, it determines if the originating number is 
a repeating originating number of many calls which 
have been made within the last 4 hours by searching 
through the record of the buffer section RBS1. It de- 
termines if this is "Using repeated ANI". The analysis 
unit AS1 derives this vector by matching the same 
originating number in many of the records which are 
in the RBS1. If the number of occurrences exceeds a
threshold N1 it is significantly repeating. This search 
and match operation is carried out to obtain vectors 
which are needed before the rules for multiple call 
fraud events are applied. 
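The "Using repeated ANI" search described above, as an added Python sketch that is not part of the patent text: a chronological buffer that drops records older than the 4-hour window and keeps a per-ANI count so the vector can be derived as each record arrives. The value of N1, the class and function names, the sample calls and the assumption that timestamps arrive in non-decreasing order are constructed for illustration.

```python
from collections import Counter, deque

WINDOW_SEC = 4 * 3600   # RBS1 holds about 4 hours of X-records
N1 = 3                  # constructed value for the repeat threshold N1


class ReceivedRecordBuffer:
    """Chronological store; oldest records drop out as time advances."""

    def __init__(self, window=WINDOW_SEC, n1=N1):
        self.window, self.n1 = window, n1
        self._records = deque()      # (timestamp, ani), oldest at the left
        self._per_ani = Counter()

    def _evict(self, now):
        # Drop every record that has aged out of the window.
        while self._records and self._records[0][0] <= now - self.window:
            _, old_ani = self._records.popleft()
            self._per_ani[old_ani] -= 1
            if not self._per_ani[old_ani]:
                del self._per_ani[old_ani]

    def add(self, timestamp, ani):
        """Store a record; return True if it earns 'Using repeated ANI'."""
        self._evict(timestamp)
        self._records.append((timestamp, ani))
        self._per_ani[ani] += 1
        return self._per_ani[ani] > self.n1

    def count(self, ani):
        """Number of records from this ANI still inside the window."""
        return self._per_ani[ani]


def repeated_ani_flags(calls, buffer=None):
    """Feed (timestamp_sec, ani) pairs in order; one flag per call."""
    buffer = buffer if buffer is not None else ReceivedRecordBuffer()
    return [buffer.add(ts, ani) for ts, ani in calls]


# Constructed sample: one ANI redialing quickly, one ordinary caller,
# then the first ANI again after the earlier records have aged out.
SAMPLE_CALLS = [
    (0, "2125550100"), (20, "2125550100"), (30, "2125550142"),
    (40, "2125550100"), (60, "2125550100"), (14500, "2125550100"),
]

if __name__ == "__main__":
    print(repeated_ani_flags(SAMPLE_CALLS))
```
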

Thus, in this embodiment, by repeated applica- 
tion of these steps to the information elements of the 
X-record, the analysis unit AS1 converts the records 
to vectors. In addition to the vectors, the analysis unit 
AS1 retains some of the information elements from 
the original X-record as they are. These are: 

- Record ID 

- Call ID 

- Toll Switch ID 

- Originating number 

- Dialed number 

- Terminating number 

- Authorization code. 

These numbers are used in post detection ac- 
tions of prevention, and record keeping procedures. 
These are retained in addition to their vector forms. All 
others are used in their vector form only. 

As stated, the rules section RS1 classifies fraud
events into two classes called a single call event and
a multiple call event. The single call event requires the
analysis of the information elements in the record of
a single call only. For example, a record may bear the
following information:

- International call

- Call made from a PBX

- Long duration call

- Off-business hour call

- Terminating in a high fraud country.

This scenario does not need the information contained
in any other records to declare that this record
represents a fraud event. Figures 3 to 6 describe
many scenarios of single call fraud events which the
rules section RS1 includes in its repertoire.

Multiple call fraud events require the information
carried on more than one record. The rule which describes
such an event in the rules section RS1 will
contain vectors which refer to characteristics which
can only be derived from analyzing and comparing
several records.

The rules section RS1 derives these characteristics 
by the analysis and comparison of many records. 
Figs. 7 to 12 contain examples of fraud scenarios of 
this class. In general, this class represents the more 
difficult to detect fraud events. A 4 hour storage 
requirement of the RBS1 is used for the detection of this 
class of events. This chronological store of records 
allows the rules section RS1 to perform the required 
comparison among the collected records to detect 
such events. However, records of other time durations, 
such as 2 to 8 hours, may also be used. 

The rules depicted in Fig. 13 cover a large 
number of rules of both these classes and enable the 
detection system to detect most of 
the commonly committed fraud acts. In the figure, the 
vectors of the rules are represented as a list, implying 
that they all must be present concurrently to make the 
rule "true". In other words, the "AND" designation of 
the boolean expression has been dropped. Additions 
and deletions to the rules may be made with ease to 
give high flexibility to the process. 

To disconnect a call, the fraud containment section 
FC1 responds to the action priority from the rules 
section RS1 and sends a message to the signal transfer 
points STP1 and STP2. The section FC1 gives the 
identity of the switch and the call which originated 
there, along with a command which makes the switch 
operate as if the call has been terminated by the 
called party. This causes the switch to disconnect the 
call and go through all the normal procedures which 
accompany the termination of a call. Thus the fraud 
caller will experience a hang-up in the middle of a call. 
If a second call from that telephone is initiated, that 
call will be treated by blocking as for the case HHb. 

In the switch network TSN, signal transfer points 
STP respond to the fraud control section to operate 
on originating and terminating action control points 
ACPO and ACPT which disconnect calls coming from 
an access demand source ADS and going to an 
egress EGR. In the switch network TSN, signal transfer 
points STP coact with network control points NCP 
to operate on originating and terminating action control 
points ACPO and ACPT which block calls coming 
from an access demand source ADS and going to an 
egress EGR. Call data may pass directly between the 
originating access control points ACPO and ACPT 
and the fraud intelligence unit FI1. 

The basic nature of the detection process which 
is employed is that of an expert system which em- 
ploys recognition of the various elemental character- 
istics of the phenomenon which is to be detected. It 
is rule-based and heuristic in nature, as opposed to 
mathematical methods based on statistical parameters 
and multidimensional representations. The heuristic 
method of the invention is very flexible and adaptable, 
and is not based on statistical studies of the 
fraud events. Natural neural systems, which are the 
result of millions of years of evolution, are based on 
similar heuristic strategies, in which the incoming 
information is filtered to obtain a finite set of 
characteristics, and more complex composites are built 
up from them, which act as templates for matching and 
final detection. 

Short calls cannot be detected until after termin- 
ation. The CDRPs transmit short calls to the control 
system CS1 immediately after termination. 

In an embodiment, the fraud intelligence unit in- 
cludes a processor that organizes the database to 
deal with query and response from the control system 
CS1. 

The information to the FIU FI1 is initially entered 
manually on the basis of prior fraud cases. To provide 
the fraud intelligence unit FI1 with further initial 
information, the control system CS1 is then set in a 
"training mode" before it is fully deployed. In this 
mode, the control system is inhibited from executing 
any preventive actions, but freely detects fraud 
events. In this mode, it adds to the initial human input 
by pumping important intelligence data to the data- 
base of the fraud intelligence unit FI1. This data can 
be carefully monitored and used for detection, when 
fully deployed. When fully deployed, the control sys- 
tem CS1 updates the database of the fraud intelli- 
gence unit FI1 with information on new fraud events. 

To increase the flexibility of the detection proc- 
ess, any information which is considered as contribut- 
ing to increase the certainty of detection can be stor- 
ed in the fraud intelligence unit FI1 database and re- 
ferred to at the time of analysis. No restrictions based 
on mathematical consistency need apply. 

The Control System CS1 can be located centrally 
or in a distributed manner as one per switch office, ac- 
cording to the economics and performance require- 
ments of the telephone switching network TSN. In 
either case, it is situated conveniently to collect call 
detail records from all the toll switches of the tele- 
phone switching network TSN. 

In the embodiment of Fig. 1, the call detail records 
are arranged to be collected from the switches 
ACPO and ACPT via their CDRPs RP1 and RP2 and 
RP2. The records are collected in real time, which 
means that the data about a call are available at the 
control system CS1 while the call is still in progress. 
Continuous elapsed time data is made available for 
calls which are in progress. In the case of very short 
calls the data on the calls are collected immediately 
thereafter. 

From a very high level point of view, the main 
functions of the control system CS1 are to: 

(1) detect fraud events by analyzing call records, 

(2) execute actions as indicated by action priorities, 
and 

(3) communicate as needed with the CDRPs, the 
database of the fraud intelligence unit FI1, and 
the corporate security administration monitor 
CSAM. 

The real-time operating system of the control 
system CS1 performs the first two functions in a 
cyclic fashion and the third one on an on-demand or 
as-needed basis. The detection, the execution of 
actions, and the presentation of information to the 
corporate security administration monitor CSAM take 
place in a cyclic fashion, whereas the CDRPs RP1 
and RP2 and RP2 and the corporate security 
administration monitor CSAM are serviced as they interrupt 
the control system CS1 with a demand for service. 
The control system CS1 will query the database of 
the fraud intelligence unit FI1, as required in the 
analysis of the call detail information contained in the call 
records, during the detection process. 

In Figs. 3 to 13, the rules are arranged in a pyramidal 
fashion, moving from a very general scenario to 
more and more defined and restrictive scenarios. The 
more restricted the scenario is, the higher is the 
detection certainty that the event is fraudulent. 
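
The following Python sketch is an added illustration, not part of the patent text: it derives the "Using repeated ANI" vector from a 4 hour record buffer, treats each rule as a list of vectors that must all be present, prefers the most restrictive matching rule, and suppresses the action in training mode. The record fields, thresholds, business hours, rule ids, rule contents and action names are assumptions made for the example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=4)     # RBS1 retention period given in the text
N1 = 3                          # assumed threshold for "Using repeated ANI"
LONG_S, SHORT_S = 3600, 30      # assumed duration thresholds, in seconds
HIGH_FRAUD = {"ZZ"}             # placeholder country code, constructed

# Each rule is a list of vectors that must ALL be present (implicit AND).
# Rule ids, vector combinations and actions are constructed, not from Fig. 13.
RULES = [
    ("R1", {"International call"}, "alert"),
    ("R2", {"International call", "Call made from a PBX",
            "Off-business hour call"}, "block_next"),
    ("R3", {"International call", "Call made from a PBX",
            "Off-business hour call", "Long duration call",
            "Terminating in a high fraud country"}, "disconnect"),
    ("R4", {"Using repeated ANI", "Of short duration"}, "block_next"),
]

def single_call_vectors(rec):
    """Vectors derivable from one record alone."""
    v = set()
    if rec["country"] is not None:           # None means a domestic call
        v.add("International call")
        if rec["country"] in HIGH_FRAUD:
            v.add("Terminating in a high fraud country")
    if rec["from_pbx"]:
        v.add("Call made from a PBX")
    if rec["duration_s"] >= LONG_S:
        v.add("Long duration call")
    if rec["duration_s"] <= SHORT_S:
        v.add("Of short duration")
    if not 8 <= rec["start"].hour < 18:      # assumed business hours 08-18
        v.add("Off-business hour call")
    return v

def multi_call_vectors(rec, buffer):
    """Vectors that need a search-and-match over the buffered records."""
    recent = [r for r in buffer
              if timedelta(0) <= rec["start"] - r["start"] <= WINDOW]
    same_ani = sum(1 for r in recent if r["ani"] == rec["ani"])
    return {"Using repeated ANI"} if same_ani > N1 else set()

def evaluate(rec, buffer, training_mode=False):
    """Return (rule id, action) for the most restrictive matching rule."""
    vectors = single_call_vectors(rec) | multi_call_vectors(rec, buffer)
    matched = [r for r in RULES if r[1] <= vectors]   # subset test = AND
    if not matched:
        return None, "none"
    # Pyramid: the rule with the most vectors is the most restrictive one.
    rule_id, _, action = max(matched, key=lambda r: len(r[1]))
    # Training mode: detect freely, but execute no preventive action.
    return rule_id, ("none" if training_mode else action)

def make_record(ani, hh, mm, dur, country=None, pbx=False):
    """Build a constructed sample record (all values are made up)."""
    return {"ani": ani, "start": datetime(2024, 1, 6, hh, mm),
            "duration_s": dur, "country": country, "from_pbx": pbx}

# Constructed buffer: one ANI placing four short calls within the window.
BUFFER = [make_record("5550100", 20, m, 10) for m in (0, 5, 10, 15)]
BUFFER.append(make_record("5550199", 19, 30, 600))

if __name__ == "__main__":
    print(evaluate(make_record("5550100", 20, 20, 10), BUFFER))
    print(evaluate(make_record("5550142", 22, 0, 7200, "ZZ", True), BUFFER))
```
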

In an embodiment, to block a call, the fraud containment 
section FC1 responds to the action priority 
from the rules section RS1 and sends a special message 
to the signal transfer point STP1. The message 
contains a command to block the next call from a 
specified ANI. The signal transfer point STP1 will 
distribute this command to the correct Network Control 
Point NCP, which handles the call processing of 
all business service calls. The network control point 
NCP will then divert the call to a ring busy terminal, 
which will frustrate the caller's attempt to use the 
network. 

In step 1437, the fraud containment section FC1 
acts to disconnect the caller and block the next call 
from the caller. According to an embodiment of the 
invention, the next call is not blocked. 

According to an embodiment of the invention, the 
FIU FI1 contains a processor which performs the 
matching functions with data from the analysis 
section AS1. 

While embodiments of the invention have been 
described in detail, it will be evident to those skilled 
in the art that the invention may be embodied 
otherwise without departing from its scope. 



Claims 

1. The method of controlling access of a user to a 
resource, comprising: 

storing, in a control data base, a set of at- 
tributes concerning an access from an access 
demand source; 

maintaining a rules data base of rules con- 
cerning attributes for determining corrective ac- 
tion; 

determining whether data in the control data 
base matches the rules in the rules data base; 
and 

effecting corrective action by disconnect- 
ing the access during access time in response to 
a match between data in the control data base 
and data in the rules data base. 

2. A method as in claim 1, wherein storing in the 
control data base includes storing in a first ac- 
cess data base a first set of attributes concerning 
the ongoing access. 

3. A method as in claim 2, wherein storing in the 
control data base includes storing in a second ac- 
cess data base a second set of attributes con- 
cerning the history of prior accesses made by the 
access demand source; 

the step of determining whether data in the 
access data base matches the rules in the rules 
data base includes determining whether to dis- 
connect the access, block future accesses, or 
take other action; and 

the step of effecting corrective action in- 
cludes disconnecting the access, blocking future 
accesses, or taking other action. 

4. A method as in claim 3, wherein said step of stor- 
ing data in said second access data base in- 
cludes storing one of the following: 

- PBX ANIs (Private Branch Exchange Auto- 
matic Number Identifications), 

- University PBX's and Centrex's, 

- Suspicious NPAs-NXX for originating num- 
bers, 

- Suspicious terminating numbers, 

- Known bad ANIs, 

- Suspicious country codes, 

- Forbidden country codes, 

- Compromised Authorization Codes, 

- ANI's from detected fraud events, 

- Originating numbers from detected fraud 
events, 

- Terminating numbers from detected fraud 
events, 

- Authorization codes from detected fraud 
events, 

- Other files as required by CSAM (Telephone 
Corporation Security Administration 
Monitor). 

5. A method as in claim 3 or claim 4, wherein the 
step of storing in the second access data base 
includes updating the second access data base 
with data from accesses having matches in the 
determining step. 

6. A method as in claim 5, wherein the step of 
storing in the second access data base includes 
updating the second access data base with data 
from accesses having matches in the determining 
step. 

7. A method as in any of claims 2-6, wherein said 
storage in said first access data base includes 
storing one or more of the following attributes: 
requesting user 
request time 
length of use 
destination requested 
user authorization code 
whether use request is cellular. 

8. A method as in any of the preceding claims, 
wherein the data in said rules data base includes 
access demands made: 

- During business hours, 

- During non-business hours, 

- Excessively long, 

- Domestic accesses, 

- To a limited dialed MPA = 800, 

- To a termination number = CPE, 

- To a country code, 

- ANI = CPE (Automatic Number Identification 
with Customer Premises Equipment), 

- Accesses using SDN-NRA (Software Defined 
Network - Network Remote Access), 

- To a suspected country code, 

- Using a bad ANI, 

- Of short duration, 

- Using repeated ANI, 

- From non-frequent accessor, 

- To successive different dialed numbers, 

- Using suspected patterned dialing, 

- With a connect time difference using a less 
than PDD (Post Dialing Delay) +e, i.e. going 
from one number to another quickly, 

- Using an invalid authorization code, 

- With a number of accesses in repeat set 
greater than threshold, 

- Using a SDN (Software Defined Network) 
virtual private network, 

- Using different ANI to same termination 
No., 

- Using the same authorization code from 
another location greater than at least one 
access continuing, 

- Having greater than access duration 
overlap, 

- With simultaneous use of mobile number, 

- Cellular, 

- Of the same MIN, 

- Using distance between access 
locations/elapsed time greater than a given value 

- Multiple accesses from same ANI (Automatic 
Number Identification) greater than 
x, 

- Repeated dialed numbers, 

- Terminating at a number which is a known 
DISA/RMATS (Direct Inward Switched 
Access/Remote Maintained Access Test 
System Maintained Port), 

- Originating in suspect MPA-NXX or 
payphone, 

- Multiple accesses from same ANI, 

- CPE (Customer Premise Equipment) to a 
known high fraud country, 

- CPE (Customer Premise Equipment) to a 
known medium fraud country, 

- Non CPE type of service, 

- Suspicious terminating number, 

- Multiple accesses billed to same number, 

- Multiple 800 accesses exceeding preset 
number. 

9. A system controlling access of a user to a 
resource, comprising: 

a control data base with a set of attributes 
concerning an ongoing access from an access 
demand source; 

rules data base with rules concerning 
attributes for determining corrective action; 

means for determining whether data in the 
control data base matches the rules in the rules 
data base; and 

means for effecting corrective action by 
disconnecting the access during access time in 
response to a match between data in the control 
data base and data in the rules data base. 

10. A system as in claim 9, wherein said control data 
base includes a first access data base with a first 
set of attributes concerning the ongoing access. 

11. A system as in claim 10, wherein the control data 
base includes a second access data base with a 
second set of attributes concerning the history of 
prior accesses made by the access demand 
source; 

the means for determining whether data in 
the access data base matches the rules in the 
rules data base includes means for determining 
whether to disconnect the access, block future 
accesses, or take other action; and 

the means for effecting corrective action 
includes means for disconnecting the access, 
blocking future accesses, or taking other action. 

12. A system as in claim 11, wherein said second 
access data base includes data on one of the 
following: 

- PBX ANIs (Private Branch Exchange Automatic 
Number Identifications), 

- University PBX's and Centrex's, 

- Suspicious NPAs-NXX for originating num- 
bers, 

- Suspicious terminating numbers, 

- Known bad ANIs, 

- Suspicious country codes, 

- Forbidden country codes, 

- Compromised Authorization Codes, 

- ANI's from detected fraud events, 

- Originating numbers from detected fraud 
events, 

- Terminating numbers from detected fraud 
events, 

- Authorization codes from detected fraud 
events, 

- Other files as required by CSAM (Tele- 
phone Corporation Security Administration 
Monitor). 

13. A system as in claim 11 or claim 12, wherein the 
control data base includes means for updating 
the second access data base with data from ac- 
cesses having matches in the means for deter- 
mining. 

14. A system as in claim 13, wherein the control data 
base includes means for updating the second ac- 
cess data base with data from accesses having 
matches in the means for determining. 

15. A system as in any of claims 10 to 14, wherein 
said storage in said first access data base in- 
cludes storage for one or more of the following at- 
tributes: 

requesting user 
request time 
length of use 
destination requested 
user authorization code 
whether use request is cellular. 

16. A system as in any of claims 9 to 15, wherein rules 
data base includes storage of access demands 
made: 

- During business hours, 

- During non-business hours, 

- Excessively long, 

- Domestic accesses, 

- To a limited dialed MPA = 800, 

- To a termination number = CPE, 

- To a country code, 

- ANI = CPE (Automatic Number Identification 
with Customer Premises Equipment), 

- Accesses using SDN-NRA (Software Defined 
Network - Network Remote Access), 

- To a suspected country code, 

- Using a bad ANI, 

- Of short duration, 

- Using repeated ANI, 

- From non-frequent accessor, 

- To successive different dialed numbers, 

- Using suspected patterned dialing, 

- With a connect time difference using a less 
than PDD (Post Dialing Delay) +e, i.e. going 
from one number to another quickly, 

- Using an invalid authorization code, 

- With a number of accesses in repeat set 
greater than threshold, 

- Using a SDN (Software Defined Network) 
virtual private network, 

- Using different ANI to same termination 
No., 

- Using the same authorization code from 
another location greater than at least one 
access continuing, 

- Having greater than access duration 
overlap, 

- With simultaneous use of mobile number, 

- Cellular, 

- Of the same MIN, 

- Using distance between access 
locations/elapsed time greater than a given value 
T, 

- Multiple accesses from same ANI (Automatic 
Number Identification) greater than 
x, 

- Repeated dialed numbers, 

- Terminating at a number which is a known 
DISA/RMATS (Direct Inward Switched 
Access/Remote Maintained Access Test 
System Maintained Port), 

- Originating in suspect MPA-NXX or 
payphone, 

- Multiple accesses from same ANI, 

- CPE (Customer Premise Equipment) to a 
known high fraud country, 

- CPE (Customer Premise Equipment) to a 
known medium fraud country, 

- Non CPE type of service, 

- Suspicious terminating number, 

- Multiple accesses billed to same number, 

- Multiple 800 accesses exceeding preset 
number. 



FIG. 2 (block diagram; legible labels: CONTROL SYSTEM, RECEIVED RECORD BUFFER SECTION, INTELLIGENCE UNIT, ANALYSIS SECTION, RULES SECTION, FRAUD VECTORS, FRAUD CONTAINMENT SECTION) 


EP 0 653 868 A3 




European Patent Office 

EUROPEAN SEARCH REPORT 

Application Number: EP 94 30 8082 

DOCUMENTS CONSIDERED TO BE RELEVANT 

Columns: Category; Citation of document with indication, where appropriate, 
of relevant passages; Relevant to claim; CLASSIFICATION OF THE 
APPLICATION (Int.Cl.6) 

Category (as extracted): X A; A; P.X 

Citations: 

- EP-A-0 212 654 (A.T.T.) * column 1, line 43 - column 4, line 21 * 

- WO-A-93 12606 (CELLULAR TECHNICAL SERVICES COMP.) * abstract * 

- US-A-5 144 649 (ZICKER ET AL) 

- EP-A-0 583 135 (A.T.T.) * abstract * 

Relevant to claim (as extracted): 1.2.9.1C; 1,9; 1-3,9-11 

Classification of the application: H04M3/42, H04M3/38, H04M3/36, H04Q3/00, H04M3/22 

TECHNICAL FIELDS SEARCHED (Int.Cl.6): H04M, H04Q 

The present search report has been drawn up for all claims 

Place of search: THE HAGUE 

Date of completion of the search: 28 August 1995 

Vandevenne, M 

CATEGORY OF CITED DOCUMENTS 

X : particularly relevant if taken alone 
Y : particularly relevant if combined with another document of the same category 
A : technological background 
O : non-written disclosure 
P : intermediate document 
T : theory or principle underlying the invention 
E : earlier patent document, but published on, or after the filing date 
D : document cited in the application 
L : document cited for other reasons 
& : member of the same patent family, corresponding document 